Ekubo Contract Suffers $1.4M Exploit on EVM Networks
BTC
-0.05%
ETH
-1.30%
1INCH
+0.44%
RVN
-0.25%
DOT
+1.55%
REN
+3.31%
The DeFi protocol Ekubo has fallen victim to a security exploit on its token exchange contract across EVM networks, resulting in an estimated $1.4 million in losses. The incident, reported by the Ekubo team on May 5, 2026, specifically targeted an auxiliary contract, leaving liquidity providers and the Starknet version of the platform unaffected.

Ekubo Contract Exploited for $1.4 Million on EVM Networks

On May 5, 2026, the DeFi protocol Ekubo confirmed an active security incident affecting its swap router contract on EVM chains. The project team swiftly advised users to revoke all outstanding approvals to prevent further compromise. Security firm Blockaid later confirmed the attack, identifying it as an exploit on a custom auxiliary Ekubo contract on Ethereum.

Attack Targets Auxiliary Ekubo Contract, Not Core Protocol

According to Ekubo developers, the exploit did not impact liquidity providers or the Starknet version of their platform. Blockaid clarified that only users who had previously approved this specific v2 contract as a spender were at risk. The preliminary damage was estimated at $1.4 million.

Flaw in Callback Mechanism Led to Funds Drain

Blockchain security firm Blockaid attributed the exploit to a flaw within the callback mechanism of the auxiliary contract. This vulnerability allowed attackers to inject arbitrary values into payment requests, specifying the payer, token, and amount without proper verification. If a user had an existing ERC-20 approval, the attacker could designate the victim’s address as the payer. This enabled the attacker to initiate a call through Ekubo Core, forcing the contract to transfer tokens via the transferFrom function.

Stolen Funds Laundered via Tornado Cash

Cos, founder of SlowMist, provided further insight, noting one user had granted unlimited approval to the Ekubo contract 158 days prior. The attacker executed 85 transactions, each withdrawing 0.2 WBTC, totaling 17 WBTC from that address. On-chain analyst Darkfost reported that the stolen funds were sent to Velora, converted into approximately $404,000 in USDC, $403,000 in DAI, and 239.5 ETH, before being moved to the crypto mixer Tornado Cash.

Broader Context: A Spike in Crypto Hacks

This incident occurs amidst a record-high period for crypto industry hacks. Analysts at DefiLlama recorded over 20 incidents in April 2026 alone. Major exploits that month included the Kelp protocol, which suffered a $292 million loss, and an attack on Drift, resulting in $280 million in damages.

In response to the exploit, Ekubo has advised all users to revoke any outstanding approvals given to their contracts. The team also issued a warning about potential phishing attempts targeting affected users. This incident underscores the critical importance of regularly reviewing and revoking token approvals in the DeFi space.

Follow Hashlytics on Bluesky, LinkedIn , Telegram and X to Get Instant Updates